External data in prompts could turn LLMs nasty, exploit research discovers.
Using the Copilot Chat extension for VS Code left it vulnerable to prompt injection via external data, GitHub said on Monday, with implications that included information theft and even arbitrary code execution, à la CVE-2025-53773.
GitHub researcher Michael Stepankin said that Claude Sonnet 4 proved the most resistant to test attacks, but could still be reliably tricked – and user attention remains critical to mitigate the threat.
"As models continue to advance, we may eventually be able to reduce the number of user confirmations needed, but for now, we need to carefully monitor the actions performed by the model," wrote Stepankin.
Malicious pull requests
A theoretical attack on a Copilot user in agent mode would use malicious instructions embedded in a GitHub issue or public pull request. When specifically invoked by a user as part of a prompt, those instructions could allow "attackers to leak local GitHub tokens, access sensitive files, or even execute arbitrary code without any user confirmation."
The attack is made possible by the way VS Code compiles context: it gathers relevant files and data and puts them all together before sending a request to the LLM in use.
The LLM then typically responds with a 'get_issue' tool call, for execution on the GitHub MCP server, with VS Code adding the tool output to the conversation and sending it back to the LLM again, until the model is satisfied the task has been completed.
"VS Code properly separates tool output, user prompts, and system messages in JSON," said Stepankin. "However, on the backend side, all these messages are blended into a single text prompt for inference."
Sensitive tools available to LLMs via VS Code, such as those that install extensions, require user confirmation before running. But supposedly safe tools – which would make the system tedious to use if approval were required – can be exploited. For instance, a tool for testing local websites can be induced to load an external website and send an authentication token in the URL – silently.
Mitigation via tool control
To mitigate the threat, VS Code users can manually select which tools LLMs can use, and must now confirm any file read or write outside the workspace.
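The gating described here (an explicit allowlist of tools, plus confirmation for any file access outside the workspace and for a "local website" tool reaching a non-local host) can be sketched as a small policy function. This is an added illustration written for this article, not VS Code's or GitHub's own code; the tool names (`read_file`, `write_file`, `open_url`, `install_extension`, `run_command`, `get_issue`), the call shape and the workspace path are assumptions.

```python
"""Tool-call gate for an LLM agent host (illustrative, not VS Code's code).

decide() returns one of "deny", "confirm" or "allow" for a proposed tool call:
  - tools not on the user's allowlist are denied outright,
  - file reads/writes are allowed silently only inside the workspace,
  - the local-website tool is allowed silently only for loopback hosts,
  - sensitive or unknown tools always need a confirmation (fail closed).
"""
import ipaddress
from pathlib import Path
from urllib.parse import urlparse

# Assumed tool names; a real host would map its own tool registry here.
FILE_TOOLS = {"read_file", "write_file"}
URL_TOOL = "open_url"                  # "test the local website" tool
ALWAYS_CONFIRM = {"install_extension", "run_command"}
PASSIVE_REMOTE = {"get_issue"}         # fetches data only; its output is still untrusted text


def path_inside_workspace(candidate: str, workspace_root: str) -> bool:
    """True only if the fully resolved path (symlinks and '..' applied) stays under the root."""
    root = Path(workspace_root).resolve()
    raw = Path(candidate)
    target = raw.resolve() if raw.is_absolute() else (root / raw).resolve()
    try:
        target.relative_to(root)
        return True
    except ValueError:
        return False


def url_is_local(url: str) -> bool:
    """True if the URL's host is literally 'localhost' or a loopback IP (127/8, ::1).

    A hostname that merely starts with 'localhost' (e.g. localhost.example.com)
    is not local, so it falls through to a confirmation.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def decide(tool_call: dict, workspace_root: str, enabled_tools: set) -> str:
    """Policy decision for one tool call proposed by the model."""
    name = tool_call.get("name")
    args = tool_call.get("arguments", {})

    if name not in enabled_tools:
        return "deny"                          # user never switched this tool on
    if name in FILE_TOOLS:
        inside = path_inside_workspace(args.get("path", ""), workspace_root)
        return "allow" if inside else "confirm"
    if name == URL_TOOL:
        return "allow" if url_is_local(args.get("url", "")) else "confirm"
    if name in PASSIVE_REMOTE:
        return "allow"
    # ALWAYS_CONFIRM and anything unrecognised: fail closed.
    return "confirm"


if __name__ == "__main__":
    # Constructed sample calls, not captured from a real session.
    ws = "/home/user/project"
    enabled = {"read_file", "write_file", "open_url", "get_issue"}
    samples = [
        {"name": "read_file", "arguments": {"path": "src/app.py"}},
        {"name": "read_file", "arguments": {"path": "../../other/notes.txt"}},
        {"name": "open_url", "arguments": {"url": "http://localhost:3000/"}},
        {"name": "open_url", "arguments": {"url": "http://example.com/collect?token=abc"}},
        {"name": "install_extension", "arguments": {"id": "some.extension"}},
    ]
    for call in samples:
        print(decide(call, ws, enabled), call["name"], call["arguments"])
```

The two checks that matter most are resolving the path before comparing it with the workspace root (so `..` segments and symlinks cannot escape) and comparing the parsed hostname rather than matching a string prefix, since an external host that merely contains "localhost" would otherwise be treated as local.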
GitHub has also highlighted the Workspace Trust option for untrusted repositories, which disables Copilot chat and prevents tasks from running automatically.
It also recommends sandboxing via Developer Containers, a free-to-use tool to interact with code in an isolated Docker container, or GitHub Codespaces, a one-button tool to set up a dedicated cloud VM.